Phony WhatsApp gets downloaded 1M times before removed by Google

A fake WhatsApp download has been removed from Google Play, and Google has also suspended the developer's account. By then, however, the app had been downloaded more than one million times.

The app was called Update WhatsApp Messenger, and according to some Redditors the adware connected to the internet to download additional Android APKs onto infected devices.

One Reddit user, Dextergenius, decompiled the APK and found that it is an ad-loaded wrapper with secondary code that downloads a second APK. He also noticed that the app tried to hide itself by having no title and a blank icon.

As of this writing, Google has confirmed that the app has been removed and the developer's account suspended for program policy violations.

Although Google generally succeeds in catching malicious and unwanted mobile apps on Google Play, this one fooled a lot of people.

“One Redditor with the handle rookie_e pointed out that the listing for this app included an extra space after the name: ‘WhatsApp Inc. ‘ The space was instead a Unicode character that looked like a space with a hex code C2A0 allowing it to slip past Google’s malware scanners for its marketplace.”

It is standard practice for Google to scan Android apps submitted to it before they are published. Google has also taken steps to catch malicious apps earlier in the process, before they reach users.

Last May, Google introduced a safety feature called Play Protect. It keeps watch over content that has been downloaded to an Android device: a downloaded app can be continually scanned for malicious behavior, which covers the case where a benign-looking app later connects to the internet and downloads malicious content. It is also effective against third-party apps installed by other means.

Developers of malicious apps intentionally use Unicode to slip unwanted apps past Google Play and the Chrome Store. They also use the same trick to forge domain names, in what has been dubbed a Punycode attack. This tricks Chrome into taking users to sites that appear legitimate, which sometimes convinces victims to enter personal information, login credentials or financial details.
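The two tricks described above, the invisible trailing character in the publisher name (the quoted hex code C2A0 is the UTF-8 encoding of U+00A0, NO-BREAK SPACE) and the Punycode lookalike domain, can both be caught by the same kind of check: surface every non-ASCII character, normalize the string, and compare it with the name you expect. The following Python is an added example written for this page, not code from Google, Reddit or the researchers quoted; the legitimate publisher string, the constructed fake listing name and the Cyrillic lookalike domain are assumptions made for the demonstration.

```python
import unicodedata

# Legitimate publisher name as it appears on the real listing (assumption for this example).
LEGIT_PUBLISHER = "WhatsApp Inc."

# Constructed sample: the article's hex code C2A0 is the UTF-8 encoding of U+00A0 (NO-BREAK SPACE),
# so the fake listing name is the real one with one invisible character appended.
FAKE_PUBLISHER = "WhatsApp Inc." + bytes.fromhex("C2A0").decode("utf-8")


def non_ascii_chars(text):
    """Return (index, codepoint, Unicode name) for every character outside printable ASCII.

    A reviewer or a store scanner can use this to surface invisible or lookalike
    characters that a human comparing two rendered names would never see.
    """
    found = []
    for i, ch in enumerate(text):
        if not (0x20 <= ord(ch) <= 0x7E):
            found.append((i, ord(ch), unicodedata.name(ch, "<unnamed>")))
    return found


def normalize_name(text):
    """Fold lookalike forms so visually identical names compare equal.

    NFKC maps compatibility characters to their canonical form (U+00A0 becomes
    a plain space); str.split() treats every Unicode whitespace character as a
    separator, so joining with one ASCII space collapses and strips all of them.
    """
    return " ".join(unicodedata.normalize("NFKC", text).split())


def is_publisher_lookalike(name, legit=LEGIT_PUBLISHER):
    """True when a name renders like the legitimate publisher but is not byte-identical."""
    return name != legit and normalize_name(name) == normalize_name(legit)


def domain_to_punycode(domain):
    """ASCII (xn--) form of a domain; ASCII-only domains pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def is_idn_domain(domain):
    """True when any label needs Punycode, i.e. contains non-ASCII characters.

    Showing the xn-- form to the user (as browsers do for suspicious IDNs)
    removes the visual ambiguity that the homograph relies on.
    """
    return any(label.startswith("xn--") for label in domain_to_punycode(domain).split("."))


if __name__ == "__main__":
    print(non_ascii_chars(FAKE_PUBLISHER))
    print(is_publisher_lookalike(FAKE_PUBLISHER))
    # Constructed lookalike: Cyrillic U+0430 in place of Latin "a".
    print(domain_to_punycode("ex\u0430mple.com"))
```

Running the script lists the single offending character at index 13 of the fake publisher name, reports that the name is a lookalike of the legitimate one, and prints the xn-- form of the constructed domain, which is what a user would need to see to notice the substitution.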